Vulnerability Management in an Application Security World. AppSec DC November 12 th, The OWASP Foundation

Save this PDF as:
Size: px
Start display at page:

Download "Vulnerability Management in an Application Security World. AppSec DC November 12 th, 2009. The OWASP Foundation http://www.owasp."

Transcription

1 Vulnerability Management in an Application Security World AppSec DC November 12 th, 2009 Dan Cornell Global Membership Committee Denim Group (210) The Foundation

2 Agenda Background A Little Bit of Theatre You Found Vulnerabilities Now What? Vulnerability Management The Security Perspective Defect Management The Development Perspective Making it Work Case Studies Demo Questions 2

3 Background Dan Cornell : Sprajax, Open Review, San Antonio Chapter, Global Membership Committee Principal at Denim Group Software Developer: MCSD, Java 2 Certified Programmer Denim Group Application Development and Remediation Java and.net Application Security Assessments, penetration tests, code reviews, training, process consulting 3

4 A Little Bit of Theatre 4

5 A Little Bit of Theatre This is a one-act play entitled: We Found Some Vulnerabilities Need a volunteer 5

6 Audience Composition? Software Developer Infrastructure Security Application Security Project Manager Other All of It 6

7 You Found Vulnerabilities Now What? 7

8 You Found Vulnerabilities Now What? Security Industry is too focused on finding vulnerabilities Especially in application security this typically isn t hard Finding vulnerabilities is of some value Fixing vulnerabilities is of great value Mark Curphey: Are You a Builder or a Breaker Organization s goal is to understand their risk exposure and bring that in-line with their policies Finding vulnerabilities is only the first step on that road 8

9 Vulnerability Management The Security Perspective 9

10 Vulnerability Management The Security Perspective Steps: Policy Baseline Prioritize Shield Mitigate Maintain For more information see: 10

11 So How Are We Doing? Policy Does your organization have policies for Application Security? Or is your policy Use SSL and do the Top 10? Baseline What are your organization s testing strategies? Hopefully not Run scanner XYZ the day before an application goes into production Also do you actually know how many applications you have in production? Prioritize How do you determine the business risk? Critical, High, Medium, Low often does not account for enough context To defend everything is to defend nothing 11

12 So How Are We Doing? (continued) Shield Have you deployed technologies to help protect you in the interim? WAFs, IDS/IPF Mitigate Do your developers know what the actual problems are? Do your developers know how to fix them? When are these vulnerabilities going to be addressed and when do they go into production? Did the application development team actually fix the vulnerabilities when they said they did? Maintain Web applications are dynamic what is the ongoing testing strategy? 12

13 Process 13

14 Defect Management The Developer Perspective 14

15 Defect Management The Developer Perspective Every day has 8 hours 12 if pizza and Jolt Cola are made available A given defect is going to require X hours to fix (+/- 50%) Tell me which defects you want me to fix and I will be done when I am done (+/- 50%) 15

16 Why is Vulnerability Management Hard for Application-Level Vulnerabilities Actual business risk is challenging to determine People who find the problems do not typically know how to fix them Or at the very least they are not going to be the people who fix them People who have to fix the problems often do not understand them 16

17 Why is Vulnerability Management Hard for Application-Level Vulnerabilities Infrastructure fixes are typically cookie-cutter, Application fixes are much more varied Patches and configuration settings Versus a full custom software development effort Software development teams are already overtaxed Applications no longer under active development may not have development environments, deployment procedures, etc 17

18 Making It Work 18

19 Making It Work Application security vulnerabilities must be treated as software defects Use risk and effort to prioritize 19

20 Application Vulnerabilities as Software Defects Track them in your defect management system (bug tracker) Select defects to address for each development cycle or release Serious vulnerabilities may require out-of-cycle releases 20

21 Risk and Effort Risk crossed with remediation effort Risk: STRIDE and DREAD (there are others) Effort: Development hours and other resources 21

22 Risk Calculation Exercise Quantitative risk can be hard to calculate Weighted Cost = Likelihood of occurrence x Cost of occurrence What is the chance (%) that Amazon.com will have a publicly-accessible SQL injection vulnerability exploited within the next year? What would the financial damage be to Amazon.com if a publicly-accessible SQL injection vulnerability was exploited? 22

23 STRIDE Spoofing Identity Tampering with Data Repudiation Information Disclosure Denial of Service Elevation or Privilege 23

24 DREAD Damage Potential Reproducibility Exploitability Affected Users Discoverability Assign levels: 1, 2, 3 with 3 being the most severe Average the level of all 5 factors Key: Define your DREAD levels up-front and apply consistently Organization-wide DREAD baseline Application-specific DREAD standards 24

25 Level of Effort Calculation Varies widely by type of vulnerability and number of vulnerabilities Logical Vulnerabilities versus Technical Vulnerabilities Technical Vulnerabilities tend to be based on coding issues Injection flaws, XSS, configuration issues Logical Vulnerabilities are specific to the application Depend on business logic and business context Authentication, authorization, trust Don t guess - build a Work Breakdown Structure (WBS) 25

26 Estimating Technical Vulnerabilities Go back to coding phase of SDLC Time per fix x Number of issues Grouping similar vulnerabilities into a smaller number of defects can aid communication Verification typically straightforward Application should behave as it always did, except that it now handles problem inputs correctly In some cases, the application depends on the vulnerable behavior 26

27 Estimating Logical Vulnerabilities May have to go farther back in the SDLC Coding Architecture/Design Even Requirements Fix strategies are more varied than technical vulnerabilities Change may require more broad change management initiatives Interaction between applications and systems within your organization Interaction between applications and systems in other organizations 27

28 Great Remediation Resource: ESAPI Enterprise Security API Provide developers with an easy-to-understand API allowing them to code securely Encoding functions are great for remediating technical flaws Framework has components that help remediate logical flaws 28

29 Case Studies 29

30 Case Studies Authentication FUBAR Legacy Nightmares When Tools Fail 30

31 Authentication FUBAR Situation Several public-facing flagship applications under moderate ongoing development Vulnerabilities Various SQL injection and XSS Authorization problems Pervasive poor deployment practices (backup files, configuration issues) Verbose HTML comments with sensitive information Major, fundamental issue with Authentication Along the line of using SSNs to authenticate users to a system Connected to many partner organizations 31

32 Authentication FUBAR (continued) Approach Fix the serious SQL injection and publicly-accessible XSS immediately in an out-of-cycle release Address authorization problems and some other issues during next planned release Major full lifecycle, change management initiative to address Authentication issue Defer remaining issues as nice to fix 32

33 Legacy Nightmares Situation 10 year old application with hundreds of pages Has been on end-of-life status for 5 years NO active development Vulnerabilities Hundreds of SQL injection, XSS Authorization issues Approach Sit in the corner and cry softly for a few minutes Identify most critical SQL injection and XSS issues for code-level fixes Fix authorization issues Rely on WAF to address remaining issues 33

34 When Tools Fail Situation Thick-client application with a local database Connects to web services and ERP Vulnerabilities Code scanner identified many SQL injection vulnerabilities affecting the local database Code scanner identified some quality issues that could impact security Manual code inspection identified some frightening design issues affecting attack surface Approach Ignore local SQL injection issues for now Ignore quality issues for now Address design issues before the initial release 34

35 Recommendations Policy Have actual policies for secure software development and risk acceptance Must go beyond Top 10 or SANS 25 Tool classifications can be incorporated into these standards, but the standards must be business-focused rather than technology-focused Pennies spent on prevention save dollars spent on cures Baseline Know your application portfolio Have an ongoing program of controls in place Prioritize Static testing Dynamic testing Involve development teams Determine business risk Determine fix level of effort 35

36 Recommendations (continued) Shield Consider using adding signatures to WAFs or web-relevant IDS/IPS systems Understand that these do not address the underlying problem Mitigate Features > Performance > Security (unfortunate fact of life in many cases) Communicate the business risk and compliance implications Work into development schedules as resources are available Consider out-of-cycle releases for serious vulnerabilities Maintain Web applications are dynamic and attacks evolve this is an ongoing process 36

37 Demo 37

38 Questions? Dan Cornell (210) Web: Blog: denimgroup.typepad.com 38

Vulnerability Management in an Application Security World. March 16 th, 2009

Vulnerability Management in an Application Security World. March 16 th, 2009 Vulnerability Management in an Application Security World OWASP Minneapolis / St. Paul March 16 th, 2009 Agenda Background A Little Bit of Theatre You Found Vulnerabilities Now What? Vulnerability Management

More information

Vulnerability Management in an Application Security World. January 29 th, 2009

Vulnerability Management in an Application Security World. January 29 th, 2009 Vulnerability Management in an Application Security World OWASP San Antonio January 29 th, 2009 Agenda Background A Little Bit of Theatre You Found Vulnerabilities Now What? Vulnerability Management The

More information

Web Application Remediation. OWASP San Antonio. March 28 th, 2007

Web Application Remediation. OWASP San Antonio. March 28 th, 2007 Web Application Remediation OWASP San Antonio March 28 th, 2007 Agenda Introduction The Problem: Vulnerable Web Applications Goals Example Process Overview Real World Issues To Address Conclusion/Questions

More information

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP Threat Modeling Categorizing the nature and severity of system vulnerabilities John B. Dickson, CISSP What is Threat Modeling? Structured approach to identifying, quantifying, and addressing threats. Threat

More information

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006 Introduction to Web Application Security Microsoft CSO Roundtable Houston, TX September 13 th, 2006 Overview Background What is Application Security and Why Is It Important? Examples Where Do We Go From

More information

Agile and Secure: OWASP AppSec Seattle Oct 2006. The OWASP Foundation http://www.owasp.org/

Agile and Secure: OWASP AppSec Seattle Oct 2006. The OWASP Foundation http://www.owasp.org/ Agile and Secure: Can We Be Both? OWASP AppSec Seattle Oct 2006 Dan Cornell, OWASP San Antonio Leader Principal, Denim Group Ltd. dan@denimgroup.com (210) 572-4400 Copyright 2006 - The OWASP Foundation

More information

Agile and Secure Can We Be Both? Chicago OWASP. June 20 th, 2007

Agile and Secure Can We Be Both? Chicago OWASP. June 20 th, 2007 Agile and Secure Can We Be Both? Chicago OWASP June 20 th, 2007 The Agile Practitioner s Dilemma Agile Forces: Be more responsive to business concerns Increase the frequency of stable releases Decrease

More information

Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center www.praetorian.com

Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center www.praetorian.com Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center www.praetorian.com Threat Modeling "Threat modeling at the design phase is really the only way to

More information

Application Security Program Management with Vulnerability Manager

Application Security Program Management with Vulnerability Manager Application Security Program Management with Vulnerability Manager Bryan Beverly June 2 nd, 2010 Today's Presentation The challenges of application security scanning and remediation What Vulnerability

More information

Application Portfolio Risk Ranking Banishing FUD With Structure and Numbers

Application Portfolio Risk Ranking Banishing FUD With Structure and Numbers Application Portfolio Risk Ranking Banishing FUD With Structure and Numbers Dan Cornell OWASP AppSec DC 2010 November 11 th, 2010 Overview The Problem Information Gathering Application Scoring Risk Rank

More information

Securing SharePoint (TRISC) Email: dan@denimgroup.com Twitter: @danielcornell. March 24 th, 2009

Securing SharePoint (TRISC) Email: dan@denimgroup.com Twitter: @danielcornell. March 24 th, 2009 Securing SharePoint Texas Regional Infrastructure Security Conference (TRISC) Dan Cornell Email: dan@denimgroup.com Twitter: @danielcornell March 24 th, 2009 Agenda Background SharePoint Basics Securing

More information

Streamlining Application Vulnerability Management: Communication Between Development and Security Teams

Streamlining Application Vulnerability Management: Communication Between Development and Security Teams Streamlining Application Vulnerability Management: Communication Between Development and Security Teams October 13, 2012 OWASP Boston Application Security Conference Agenda Introduction / Background Vulnerabilities

More information

Using Sprajax to Test AJAX. OWASP AppSec Seattle Oct 2006. The OWASP Foundation http://www.owasp.org/

Using Sprajax to Test AJAX. OWASP AppSec Seattle Oct 2006. The OWASP Foundation http://www.owasp.org/ Using Sprajax to Test AJAX Security OWASP AppSec Seattle Oct 2006 Dan Cornell, OWASP San Antonio Leader Principal, Denim Group, Ltd. dan@denimgroup.com (210) 572-4400 Copyright 2006 - The OWASP Foundation

More information

Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?

Remediation Statistics: What Does Fixing Application Vulnerabilities Cost? Remediation Statistics: What Does Fixing Application Vulnerabilities Cost? Dan Cornell Denim Group, Ltd. Session ID: ASEC-302 Session Classification: Intermediate Agenda An Innocent Question Finding a

More information

Turning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006

Turning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006 Turning the Battleship: How to Build Secure Software in Large Organizations Dan Cornell May 11 th, 2006 Overview Background and key questions Quick review of web application security The web application

More information

Application Security and the SDLC. Dan Cornell Denim Group, Ltd. www.denimgroup.com

Application Security and the SDLC. Dan Cornell Denim Group, Ltd. www.denimgroup.com Application Security and the SDLC Dan Cornell Denim Group, Ltd. www.denimgroup.com Overview Background What is Application Security and Why is It Important? Specific Reference Examples Integrating Security

More information

Adobe Systems Incorporated

Adobe Systems Incorporated Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...

More information

Skeletons in the Closet: Securing Inherited Applications

Skeletons in the Closet: Securing Inherited Applications Skeletons in the Closet: Securing Inherited Applications Baltimore ISSA April 27, 2011 John B. Dickson, CISSP #4649 Overview for Today s Session The Problem Information Gathering Application Scoring Risk

More information

Static Analysis Techniques for Testing Application Security. OWASP San Antonio January 31 st, 2008

Static Analysis Techniques for Testing Application Security. OWASP San Antonio January 31 st, 2008 Static Analysis Techniques for Testing Application Security OWASP San Antonio January 31 st, 2008 Dan Cornell dan@denimgroup.com Agenda What is Application Security? What is Static Analysis? Static versus

More information

Integrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis

Integrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis Integrating Security into the Application Development Process Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis Agenda Seek First to Understand Source Code Security AppSec and SQA Analyzing

More information

Understanding and evaluating risk to information assets in your software projects

Understanding and evaluating risk to information assets in your software projects Understanding and evaluating risk to information assets in your software projects ugh.. what a mouthful Dana Epp Windows Security MVP Who am I? Microsoft Windows Security MVP Information Security Professional

More information

Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP

Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With

More information

Threat Modeling. 1. Some Common Definition (RFC 2828)

Threat Modeling. 1. Some Common Definition (RFC 2828) Threat Modeling Threat modeling and analysis provides a complete view about the security of a system. It is performed by a systematic and strategic way for identifying and enumerating threats to a system.

More information

SAFECode Security Development Lifecycle (SDL)

SAFECode Security Development Lifecycle (SDL) SAFECode Security Development Lifecycle (SDL) Michael Howard Microsoft Matthew Coles EMC 15th Semi-annual Software Assurance Forum, September 12-16, 2011 Agenda Introduction to SAFECode Security Training

More information

Do You Have a Scanner or a Scanning Program?

Do You Have a Scanner or a Scanning Program? Do You Have a Scanner or a Scanning Program? About Me Dan Cornell Founder and CTO of Denim Group Software developer by background (Java,.NET, etc) OWASP San Antonio 15 years experience in software architecture,

More information

Application Security and the SDLC. Dan Cornell Denim Group, Ltd. www.denimgroup.com

Application Security and the SDLC. Dan Cornell Denim Group, Ltd. www.denimgroup.com Application Security and the SDLC Dan Cornell Denim Group, Ltd. www.denimgroup.com Overview Background What is Application Security and Why is It Important? Specific Reference Examples Integrating Security

More information

Application Security Testing

Application Security Testing Tstsec - Version: 1 09 July 2016 Application Security Testing Application Security Testing Tstsec - Version: 1 4 days Course Description: We are living in a world of data and communication, in which the

More information

Static Analysis Techniques for Testing Application Security. OWASP Austin March 25 th, 2008

Static Analysis Techniques for Testing Application Security. OWASP Austin March 25 th, 2008 Static Analysis Techniques for Testing Application Security OWASP Austin March 25 th, 2008 Dan Cornell dan@denimgroup.com Agenda What is Application Security? What is Static Analysis? Static versus Dynamic

More information

Learning objectives for today s session

Learning objectives for today s session Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand what a black box and white box assessment is and how they differ Identify

More information

Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Together. Dan Cornell. CTO, Denim Group@danielcornell

Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Together. Dan Cornell. CTO, Denim Group@danielcornell Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Together Dan Cornell CTO, Denim Group@danielcornell This presentation contains information about DHS-funded research: Topic Number:

More information

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP How to start a software security initiative within your organization: a maturity based and metrics driven approach Marco Morana OWASP Lead/ TISO Citigroup OWASP Application Security For E-Government Copyright

More information

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand different types of application assessments and how they differ Be

More information

IBM Rational Software

IBM Rational Software IBM Rational Software Development Conference 2008 Augmenting Dynamic Application Security Testing with Static Analysis Dan Cornell Principal, Denim Group, Ltd. dan@denimgroup.com AS14 2007 IBM Corporation

More information

The AppSec How-To: 10 Steps to Secure Agile Development

The AppSec How-To: 10 Steps to Secure Agile Development The AppSec How-To: 10 Steps to Secure Agile Development Source Code Analysis Made Easy 10 Steps In Agile s fast-paced environment and frequent releases, security reviews and testing sound like an impediment

More information

BEST PRACTICES FOR SECURITY TESTING TOP 10 RECOMMENDED PRACTICES

BEST PRACTICES FOR SECURITY TESTING TOP 10 RECOMMENDED PRACTICES BEST PRACTICES FOR SECURITY TESTING TOP 10 RECOMMENDED PRACTICES Disclaimer!! Best Practices are Not rules or rigid standards General solutions to common problems Guidelines and common reference that can

More information

Building a Corporate Application Security Assessment Program

Building a Corporate Application Security Assessment Program Building a Corporate Application Security Assessment Program Rob Jerdonek and Topher Chung Corporate Information Security Intuit Inc. July 23, 2009 Copyright The Foundation Permission is granted to copy,

More information

Managing Your Application Security Program with the ThreadFix Ecosystem!! Dan Cornell! @danielcornell

Managing Your Application Security Program with the ThreadFix Ecosystem!! Dan Cornell! @danielcornell Managing Your Application Security Program with the ThreadFix Ecosystem!! Dan Cornell! @danielcornell This presentation contains information about DHS-funded research: Topic Number: H-SB013.1-002 - Hybrid

More information

An Introduction to Application Security In ASP.NET Environments. Houston.NET User Group. February 23 rd, 2006

An Introduction to Application Security In ASP.NET Environments. Houston.NET User Group. February 23 rd, 2006 An Introduction to Application Security In ASP.NET Environments Houston.NET User Group February 23 rd, 2006 Overview Background What is Application Security and Why Is It Important? Examples ASP.NET Specific

More information

Web application testing

Web application testing CL-WTS Web application testing Classroom 2 days Testing plays a very important role in ensuring security and robustness of web applications. Various approaches from high level auditing through penetration

More information

Application Vulnerability Management

Application Vulnerability Management Application Vulnerability Management Application security teams uses automated static and dynamic test results as well as manual testing results to assess the security of an application Each test delivers

More information

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM Agenda Introduction to Application Hacking Demonstration of Attack Tool Common Web Application Attacks Live Bank Hacking Demonstration

More information

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011 Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing

More information

Software Development: The Next Security Frontier

Software Development: The Next Security Frontier James E. Molini, CISSP, CSSLP Microsoft Member, (ISC)² Advisory Board of the Americas jmolini@microsoft.com http://www.codeguard.org/blog Software Development: The Next Security Frontier De-perimiterization

More information

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security. Web application security Executive brief Managing a growing threat: an executive s guide to Web application security. Danny Allan, strategic research analyst, IBM Software Group Contents 2 Introduction

More information

Threat Modeling: The Art of Identifying, Assessing, and Mitigating security threats

Threat Modeling: The Art of Identifying, Assessing, and Mitigating security threats Threat Modeling: The Art of Identifying, Assessing, and Mitigating security threats Mohamed Ali Saleh Abomhara University of Agder mohamed.abomhara@uia.no Winter School in Information Security, Finse May

More information

Benchmarking Web Application Scanners for YOUR Organization

Benchmarking Web Application Scanners for YOUR Organization Benchmarking Web Application Scanners for YOUR Organization Dan Cornell! CTO, Denim Group! @danielcornell My Background Dan Cornell, founder and CTO of Denim Group Software developer by background (Java,.NET,

More information

Microsoft STRIDE (six) threat categories

Microsoft STRIDE (six) threat categories Risk-based Security Testing: Prioritizing Security Testing with Threat Modeling This lecture provides reference material for the book entitled The Art of Software Security Testing by Wysopal et al. 2007

More information

How-to-Guide for Software Security Vulnerability Remediation. by Dan Cornell

How-to-Guide for Software Security Vulnerability Remediation. by Dan Cornell for Software Security Vulnerability Remediation by Dan Cornell Executive Summary The security industry often pays a tremendous amount of attention to finding security vulnerabilities. This is done via

More information

Strategic Information Security. Attacking and Defending Web Services

Strategic Information Security. Attacking and Defending Web Services Security PS Strategic Information Security. Attacking and Defending Web Services Presented By: David W. Green, CISSP dgreen@securityps.com Introduction About Security PS Application Security Assessments

More information

Information Systems Security

Information Systems Security Information Systems Security Lecture 4: Security Engineering Prof. Dr. Christoph Karg Aalen University of Applied Sciences Department of Computer Science 11.10.2015 Learning Objective Learning Objective

More information

Threat modeling. Tuomas Aura T-110.4206 Information security technology. Aalto University, autumn 2011

Threat modeling. Tuomas Aura T-110.4206 Information security technology. Aalto University, autumn 2011 Threat modeling Tuomas Aura T-110.4206 Information security technology Aalto University, autumn 2011 Threats Threat = something bad that can happen Given an system or product what are the threats against

More information

Development Processes (Lecture outline)

Development Processes (Lecture outline) Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development

More information

Secure By Design: Security in the Software Development Lifecycle

Secure By Design: Security in the Software Development Lifecycle Secure By Design: Security in the Software Development Lifecycle Twin Cities Rational User s Group Security Briefing by Arctec Group (www.arctecgroup.net) Integrating Security into Software Development

More information

Threat Modeling/ Security Testing. Tarun Banga, Adobe 1. Agenda

Threat Modeling/ Security Testing. Tarun Banga, Adobe 1. Agenda Threat Modeling/ Security Testing Presented by: Tarun Banga Sr. Manager Quality Engineering, Adobe Quality Leader (India) Adobe Systems India Pvt. Ltd. Agenda Security Principles Why Security Testing Security

More information

Integrating Vulnerability Scanning into the SDLC

Integrating Vulnerability Scanning into the SDLC Integrating Vulnerability Scanning into the SDLC Eric Johnson JavaOne Conference 10/26/2015 1 Eric Johnson (@emjohn20) Senior Security Consultant Certified SANS Instructor Certifications CISSP, GWAPT,

More information

ISSECO Syllabus Public Version v1.0

ISSECO Syllabus Public Version v1.0 ISSECO Syllabus Public Version v1.0 ISSECO Certified Professional for Secure Software Engineering Date: October 16th, 2009 This document was produced by the ISSECO Working Party Syllabus Introduction to

More information

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development

More information

Threat Modeling. Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE UNIVERSITEIT LEUVEN

Threat Modeling. Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE UNIVERSITEIT LEUVEN Threat Modeling Frank Piessens (Frank.Piessens@cs.kuleuven.be ) Secappdev 2007 1 Overview Introduction Key Concepts Threats, Vulnerabilities, Countermeasures Example Microsoft s Threat Modeling Process

More information

Threat Modeling Architecting & Designing with Security in Mind OWASP. The OWASP Foundation http://www.owasp.org. Venkatesh Jagannathan

Threat Modeling Architecting & Designing with Security in Mind OWASP. The OWASP Foundation http://www.owasp.org. Venkatesh Jagannathan Threat Modeling Architecting & Designing with Security in Mind Venkatesh Jagannathan -Chennai Chapter Leader venki@owasp.org heyvenki@gmail.com Copyright The Foundation Permission is granted to copy, distribute

More information

The monsters under the bed are real... 2004 World Tour

The monsters under the bed are real... 2004 World Tour Web Hacking LIVE! The monsters under the bed are real... 2004 World Tour Agenda Wichita ISSA August 6 th, 2004 The Application Security Dilemma How Bad is it, Really? Overview of Application Architectures

More information

Course Modules for Software Security

Course Modules for Software Security Course Modules for Software Security Austin Frazier, Xiaohong Yuan, Yaohang Li, Stephan Hudson, North Carolina A&T State University Abstract Each year the reported number of security vulnerabilities increases

More information

Mobile Applications and Application Framework Security Dan Cornell

Mobile Applications and Application Framework Security Dan Cornell Mobile Applications and Application Framework Security Dan Cornell My Background Dan Cornell Founder and CTO of Denim Group Software developer by background (Java,.NET, etc) Denim Group Build software

More information

elearning for Secure Application Development

elearning for Secure Application Development elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security

More information

Recall the Security Life Cycle

Recall the Security Life Cycle Lecture 7: Threat Modeling CS 436/636/736 Spring 2014 Nitesh Saxena Recall the Security Life Cycle Threats Policy Specification Design Implementation Operation and Maintenance So far what we have learnt

More information

Standard: Web Application Development

Standard: Web Application Development Information Security Standards Web Application Development Standard IS-WAD Effective Date TBD Email security@sjsu.edu # Version 2.0 Contact Mike Cook Phone 408-924-1705 Standard: Web Application Development

More information

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle A Strategic Approach to Web Application Security The importance of a secure software development lifecycle Rachna Goel Technical Lead Enterprise Technology Web application security is clearly the new frontier

More information

Hybrid Analysis Mapping:! Making Security and Development Tools Play Nice Together!! Dan Cornell! CTO, Denim Group! @danielcornell

Hybrid Analysis Mapping:! Making Security and Development Tools Play Nice Together!! Dan Cornell! CTO, Denim Group! @danielcornell ! Hybrid Analysis Mapping:! Making Security and Development Tools Play Nice Together!! Dan Cornell! CTO, Denim Group! @danielcornell This presentation contains information about DHS-funded research: Topic

More information

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis Document Scope This document aims to assist organizations comply with PCI DSS 3 when it comes to Application Security best practices.

More information

Vulnerability management lifecycle: defining vulnerability management

Vulnerability management lifecycle: defining vulnerability management Framework for building a vulnerability management lifecycle program http://searchsecurity.techtarget.com/magazinecontent/framework-for-building-avulnerability-management-lifecycle-program August 2011 By

More information

white SECURITY TESTING WHITE PAPER

white SECURITY TESTING WHITE PAPER white SECURITY TESTING WHITE PAPER Contents: Introduction...3 The Need for Security Testing...4 Security Scorecards...5 Test Approach... 11 Framework... 16 Project Initiation Process... 17 Conclusion...

More information

8070.S000 Application Security

8070.S000 Application Security 8070.S000 Application Security Last Revised: 02/26/15 Final 02/26/15 REVISION CONTROL Document Title: Author: File Reference: Application Security Information Security 8070.S000_Application_Security.docx

More information

Product Roadmap. Sushant Rao Principal Product Manager Fortify Software, a HP company

Product Roadmap. Sushant Rao Principal Product Manager Fortify Software, a HP company Product Roadmap Sushant Rao Principal Product Manager Fortify Software, a HP company Agenda Next Generation of Security Analysis Future Directions 2 Currently under investigation and not guaranteed to

More information

Production Security and the SDLC. Mark Kraynak Sr. Dir. Strategic Marketing Imperva mark@imperva.com

Production Security and the SDLC. Mark Kraynak Sr. Dir. Strategic Marketing Imperva mark@imperva.com Production Security and the SDLC Mark Kraynak Sr. Dir. Strategic Marketing Imperva mark@imperva.com Building Security Into the Development Process Production Test existing deployed apps Eliminate security

More information

FISMA / NIST 800-53 REVISION 3 COMPLIANCE

FISMA / NIST 800-53 REVISION 3 COMPLIANCE Mandated by the Federal Information Security Management Act (FISMA) of 2002, the National Institute of Standards and Technology (NIST) created special publication 800-53 to provide guidelines on security

More information

Functional vs. Load Testing

Functional vs. Load Testing Best Practices in Performance & Security Testing March 26, 2009 CVN www.sonata-software.com Functional vs. Load Testing Functional test Objective Functionality Example Do business processes function properly

More information

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014 Security Testing Vulnerability Assessment vs Penetration Testing Gabriel Mihai Tanase, Director KPMG Romania 29 October 2014 Agenda What is? Vulnerability Assessment Penetration Testing Acting as Conclusion

More information

Rolling out an Effective Application Security Assessment Program. Jason Taylor, CTO jtaylor@securityinnovation.com

Rolling out an Effective Application Security Assessment Program. Jason Taylor, CTO jtaylor@securityinnovation.com Rolling out an Effective Application Security Assessment Program Jason Taylor, CTO jtaylor@securityinnovation.com About Security Innovation Authority in Application Security 10+ years of research and assessment

More information

White Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security

White Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security White Paper Automating Your Code Review: Moving to a SaaS Model for Application Security Contents Overview... 3 Executive Summary... 3 Code Review and Security Analysis Methods... 5 Source Code Review

More information

Mobile Application Threat Analysis

Mobile Application Threat Analysis The OWASP Foundation http://www.owasp.org Mobile Application Threat Analysis Ari Kesäniemi Nixu Copyright The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under

More information

Smart (and safe) Lighting:

Smart (and safe) Lighting: Smart (and safe) Lighting: An Overview of Cyber Security October 29, 2015 Jason Brown CISO, Merit Network Agenda 2 The New Normal Discuss Methodologies of Security Recap Q & A Target Hack 3 40,000 credit

More information

Application Firewall Overview. Published: February 2007 For the latest information, please see http://www.microsoft.com/iag

Application Firewall Overview. Published: February 2007 For the latest information, please see http://www.microsoft.com/iag Application Firewall Overview Published: February 2007 For the latest information, please see http://www.microsoft.com/iag Contents IAG Application Firewall: An Overview... 1 Features and Benefits... 2

More information

Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,

Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group, Secure and Resilient Software Development Mark S. Merkow Lakshmikanth Raghavan CRC Press Taylor& Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor St Francis Group, an Informs

More information

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited Contemporary Web Application Attacks Ivan Pang Senior Consultant Edvance Limited Agenda How Web Application Attack impact to your business? What are the common attacks? What is Web Application Firewall

More information

From Rivals to BFF: WAF & VA Unite OWASP 07.23.2009. The OWASP Foundation http://www.owasp.org

From Rivals to BFF: WAF & VA Unite OWASP 07.23.2009. The OWASP Foundation http://www.owasp.org From Rivals to BFF: WAF & VA Unite 07.23.2009 Brian Contos, Chief Security Strategist Imperva Inc. brian.contos@imperva.com +1 (650) 832.6054 Copyright The Foundation Permission is granted to copy, distribute

More information

Seven Practical Steps to Delivering More Secure Software. January 2011

Seven Practical Steps to Delivering More Secure Software. January 2011 Seven Practical Steps to Delivering More Secure Software January 2011 Table of Contents Actions You Can Take Today 3 Delivering More Secure Code: The Seven Steps 4 Step 1: Quick Evaluation and Plan 5 Step

More information

Reducing Application Vulnerabilities by Security Engineering

Reducing Application Vulnerabilities by Security Engineering Reducing Application Vulnerabilities by Security Engineering - Subash Newton Manager Projects (Non Functional Testing, PT CoE Group) 2008, Cognizant Technology Solutions. All Rights Reserved. The information

More information

INSIDE. Management Process. Symantec Corporation TM. Best Practices Roles & Responsibilities. Vulnerabilities versus Exposures.

INSIDE. Management Process. Symantec Corporation TM. Best Practices Roles & Responsibilities. Vulnerabilities versus Exposures. Symantec Corporation TM Symantec Product Vulnerability Management Process Best Practices Roles & Responsibilities INSIDE Vulnerabilities versus Exposures Roles Contact and Process Information Threat Evaluation

More information

2015 Vulnerability Statistics Report

2015 Vulnerability Statistics Report 2015 Vulnerability Statistics Report Introduction or bugs in software may enable cyber criminals to exploit both Internet facing and internal systems. Fraud, theft (financial, identity or data) and denial-of-service

More information

An Introduction to Application Security in J2EE Environments

An Introduction to Application Security in J2EE Environments An Introduction to Application Security in J2EE Environments Dan Cornell Denim Group, Ltd. www.denimgroup.com Overview Background What is Application Security and Why is It Important? Specific Reference

More information

The Web AppSec How-to: The Defenders Toolbox

The Web AppSec How-to: The Defenders Toolbox The Web AppSec How-to: The Defenders Toolbox Web application security has made headline news in the past few years. Incidents such as the targeting of specific sites as a channel to distribute malware

More information

Excellence Doesn t Need a Certificate. Be an. Believe in You. 2014 AMIGOSEC Consulting Private Limited

Excellence Doesn t Need a Certificate. Be an. Believe in You. 2014 AMIGOSEC Consulting Private Limited Excellence Doesn t Need a Certificate Be an 2014 AMIGOSEC Consulting Private Limited Believe in You Introduction In this age of emerging technologies where IT plays a crucial role in enabling and running

More information

CSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office

CSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office CSUSB, Information Security & Emerging Technologies Office Last Revised: 03/17/2015 Draft REVISION CONTROL Document Title: Author: File Reference: CSUSB Web Application Security Standard Javier Torner

More information

WHITEPAPER. Nessus Exploit Integration

WHITEPAPER. Nessus Exploit Integration Nessus Exploit Integration v2 Tenable Network Security has committed to providing context around vulnerabilities, and correlating them to other sources, such as available exploits. We currently pull information

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

Application Security in the Software Development Lifecycle

Application Security in the Software Development Lifecycle Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO

More information

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST. CENTER FOR ADVANCED SECURITY TRAINING 619 Advanced SQLi Attacks and Countermeasures Make The Difference About Center of Advanced Security Training () The rapidly evolving information security landscape

More information

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences

More information

Integrating Web Application Security into the IT Curriculum

Integrating Web Application Security into the IT Curriculum Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University Topics 1. 2. 3. 4. Why should we teach web application security? What material do we need to cover?

More information

We protect you applications! No, you don t. Digicomp Hacking Day 2013 May 16 th 2013

We protect you applications! No, you don t. Digicomp Hacking Day 2013 May 16 th 2013 We protect you applications! No, you don t Digicomp Hacking Day 2013 May 16 th 2013 Sven Vetsch Partner & CTO at Redguard AG www.redguard.ch Specialized in Application Security (Web, Web-Services, Mobile,

More information

Passing PCI Compliance How to Address the Application Security Mandates

Passing PCI Compliance How to Address the Application Security Mandates Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These

More information